
Re: Slapd issue



Philip Bellino wrote:
Hello,
I am running slapd(openldap-2.3.32) on a linux host. I am also running openldap-2-32-3 on a linux client.
If I use the "allow_bind_v2" switch in the slapd.conf file, I can do anonymous simple binds from the client to the server over TCP with no problems. I can also do simple login/password authentication with no problems.

Anonymous Simple Binds are allowed regardless of the "allow_bind_v2" option. As its name implies, that option only controls whether to accept Binds that specify LDAPv2. That option defaults to off and generally should stay off. LDAPv3 has been around for 10 years already and LDAPv2 was officially retired 4 years ago; there's no good reason for anybody to still be using it now.


I now am trying to use v3 secure connections. When I attempt to authenticate, I get the following errors from the slapd logs (in bold):

TLS trace: SSL_accept:SSLv3 flush data
*tls_read: want=5 error=Resource temporarily unavailable*
*TLS trace: SSL_accept:error in SSLv3 read client certificate A*
*TLS trace: SSL_accept:error in SSLv3 read client certificate A*

This error was ignored by slapd, otherwise the log would have shown the connection being closed here. This behavior is normal, since you didn't require client certificate verification.


daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: epoll: listen=9 active_threads=0 tvp=NULL
daemon: epoll: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 14r
daemon: read active on 14
connection_get(14)
connection_get(14): got connid=0
connection_read(14): checking for input on id=0
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
*TLS trace: SSL3 alert read:fatal:unknown CA*
*TLS trace: SSL_accept:failed in SSLv3 read client certificate A*
*TLS: can't accept.*
*TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1057*
*connection_read(14): TLS accept failure error=-1 id=0, closing*
connection_closing: readying conn=0 sd=14 for close
connection_close: conn=0 sd=14

This shows that the client sent an "unknown CA" message to the server and that the client considered it a fatal error, and closed the connection.


It looks to me as if slapd is trying to read the client certificate even though my slapd.conf file entry "*TLSVerifyClient never*" is set. I am new to this all, so I do not know if I am interpreting this correctly or not.

That is not the important part of the trace.

Any help would be most appreciated.

Read the Admin Guide section on Using TLS. http://www.openldap.org/doc/admin23/tls.html


Thanks,
Phil Bellino
============================
Phil Bellino
MRV Communications, Inc.
Boston Product Division
295 Foster St.
Littleton, MA 01460
Tel: (978)952-4807
Email: pbellino@mrv.com
============================
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
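As an added example (not part of this thread or of OpenLDAP itself), the script below reassembles the bytes from the two "tls_read" hex dumps quoted above and decodes them as a TLS alert record, which is how one confirms that the "unknown CA" alert was fatal and came from the client. The trace text is constructed from the log lines in the post, and the alert description table is a subset of the values in RFC 5246.

```python
import re
import struct

# Constructed from the slapd debug trace quoted in the post above.
TRACE = """\
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
"""

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions from RFC 5246 section 7.2 (subset relevant to cert checks)
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      42: "bad_certificate", 45: "certificate_expired",
                      46: "certificate_unknown", 48: "unknown_ca",
                      49: "access_denied", 51: "decrypt_error"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def bytes_from_trace(trace: str) -> bytes:
    """Reassemble the bytes slapd read. Each 'tls_read: want=N, got=N' line is
    followed by a hex dump; take exactly N hex tokens so the ASCII column
    ('.....' / '.0') at the end of the dump line is never misread as data."""
    out = bytearray()
    lines = trace.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"tls_read: want=\d+, got=(\d+)$", line)
        if not m:
            continue
        got = int(m.group(1))
        tokens = re.sub(r"^[0-9a-f]+:\s*", "", lines[i + 1]).split()
        out += bytes(int(t, 16) for t in tokens[:got])
    return bytes(out)


def parse_alert_record(record: bytes) -> dict:
    """Decode a 5-byte TLS record header plus a 2-byte alert body."""
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 0x15:  # 0x15 = alert; 0x16 would be a handshake record
        raise ValueError(f"not an alert record (content type 0x{ctype:02x})")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = body
    return {"version": VERSIONS.get((major, minor), f"{major}.{minor}"),
            "level": ALERT_LEVELS.get(level, str(level)),
            "description": ALERT_DESCRIPTIONS.get(desc, str(desc))}


if __name__ == "__main__":
    print(parse_alert_record(bytes_from_trace(TRACE)))
```

Because slapd read the alert rather than sending it, the peer that rejected the handshake is the client, so the certificate chain it needs to trust is configured on the client side (the TLS_CACERT setting covered in the linked Admin Guide), not in TLSVerifyClient on the server.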